[c-nsp] Securing virtual networks

Higham, Josh jhigham at epri.com
Thu Mar 13 19:12:09 EDT 2008


> From: Nate Carlson [mailto:cisco-nsp at natecarlson.com]
>
> On Thu, 13 Mar 2008, Higham, Josh wrote:
> > What methods are available for making sure that no traffic leaks between
> > virtual networks?  I am looking at doing some sort of virtualization for
> > a small enterprise network (so no software based provisioning) and want
> > to either prevent or detect misconfigurations.
>
> What type of virtualization are you talking about? Something like
> VMWare/Xen, or network virtualization?

Network virtualization.

> > If I restrict the address ranges I can use netflow and ACLs, but that
> > removes one of the benefits.  This isn't a hostile environment, but
> > would include a guest network so malicious attacks are possible, along
> > with the obvious virus issues.
>
> OK - so put the guest network off on its own VLAN, and isolate it.

I know that I can isolate it in a VLAN, but I want to avoid having a
single point of failure.  If someone puts a port into the wrong VLAN,
and the user gets a DHCP address (two segregated user access networks,
for example) we might not know until it actually causes a problem by
releasing a virus (or worse, a directed malicious attack).

This is historically the reason for using physical separation, but
that's no longer viable.  I am just wondering if there are any good ways
to protect against user error, or if people just ignore it.

Thanks,
Josh
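Added example (not part of the thread, and not anything Josh or Nate posted): two small checks that implement the detection side of the question above, assuming the address-range restriction Josh mentions. The first walks constructed flow records (src, dst, proto, dport, as one might export from NetFlow) and reports any flow whose endpoints fall in different virtual networks, ignoring an allow-list of shared services; the second audits a constructed running-config excerpt against an intended per-port VLAN plan, so a port patched into the wrong VLAN is caught before a client ever gets a DHCP lease. Network names, prefixes, port names and the sample records are all assumptions made for the example.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed address plan: each virtual network is confined to its own
# prefixes (the "restrict the address ranges" approach from the thread).
# Names and prefixes are assumptions for this example.
NETWORKS = {
    "corp":  [ipaddress.ip_network("10.10.0.0/16")],
    "guest": [ipaddress.ip_network("10.20.0.0/16")],
    "lab":   [ipaddress.ip_network("10.30.0.0/16")],
}

# Hosts every virtual network is allowed to reach (e.g. a shared DNS server);
# constructed so that legitimate cross-network flows are not reported.
SHARED_SERVICES = [ipaddress.ip_network("10.10.1.53/32")]

Flow = namedtuple("Flow", "src dst proto dport")


def classify(addr):
    """Return the virtual network an address belongs to, or None if unknown."""
    ip = ipaddress.ip_address(addr)
    for name, prefixes in NETWORKS.items():
        if any(ip in p for p in prefixes):
            return name
    return None


def is_shared(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in p for p in SHARED_SERVICES)


def parse_flows(lines):
    """Parse constructed 'src dst proto dport' flow records, one per line."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flows.append(Flow(src, dst, proto, int(dport)))
    return flows


def find_leaks(flows):
    """Flag flows whose endpoints sit in different virtual networks (or in none)."""
    leaks = []
    for f in flows:
        s, d = classify(f.src), classify(f.dst)
        if s is None or d is None:
            leaks.append((f, "unknown-address"))
        elif s != d and not (is_shared(f.src) or is_shared(f.dst)):
            leaks.append((f, f"{s}->{d}"))
    return leaks


def audit_access_vlans(config_text, port_plan):
    """Compare each access port's VLAN in a running-config excerpt against the
    intended per-port plan; returns (port, configured, expected) mismatches."""
    mismatches = []
    iface = None
    for line in config_text.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1].strip()
            continue
        m = re.match(r"\s+switchport access vlan (\d+)\s*$", line)
        if m and iface:
            configured = int(m.group(1))
            expected = port_plan.get(iface)
            if configured != expected:
                mismatches.append((iface, configured, expected))
    return mismatches


# Constructed sample input for both checks.
SAMPLE_FLOWS = """
# src dst proto dport
10.10.5.20 10.10.7.9 tcp 445
10.20.3.4 10.10.1.53 udp 53
10.20.3.4 10.10.5.20 tcp 445
10.30.2.2 10.20.9.9 tcp 22
10.10.5.20 192.168.77.1 tcp 80
"""

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport access vlan 10
interface GigabitEthernet1/0/2
 switchport access vlan 20
interface GigabitEthernet1/0/3
 switchport access vlan 10
"""
PORT_PLAN = {"GigabitEthernet1/0/1": 10,
             "GigabitEthernet1/0/2": 20,
             "GigabitEthernet1/0/3": 20}   # port 3 is wrongly in VLAN 10

if __name__ == "__main__":
    for flow, why in find_leaks(parse_flows(SAMPLE_FLOWS.splitlines())):
        print("LEAK", why, flow)
    for port, got, want in audit_access_vlans(SAMPLE_CONFIG, PORT_PLAN):
        print("VLAN MISMATCH", port, "configured", got, "expected", want)
```

The flow check is the after-the-fact detector (it only fires once a mis-patched host has already talked across the boundary), while the config audit catches the root cause the moment the running-config is pulled; running both gives two independent signals rather than the single point of failure Josh is worried about. Flows to or from an address outside every planned prefix are reported separately, since an unexpected range is itself a sign that the address plan and the network diverged.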

